Description

If ModelAdmin is subclassed to override has_change_permission() to provide row-level change permissions, it's possible to edit an object, click save, and be redirected to the list of all such objects and get a Permission Denied error page. The attached patch checks for the appropriate permissions and does the right thing. This sort of check exists elsewhere in the file, just not here.

Thanks for the report rlaager. The behaviour should actually be slightly different from that in your patch. Like the 'add' view, it should redirect to the admin's root page if there are no appropriate 'change' permissions. The new patch fixes that and also contains thorougher tests for row level 'change' permissions.

Looks good; my only suggested improvement would be to use named URL lookup instead of ../ and ../../../. However, that's easy enough to pick up on commit, so if you don't get around to updating the patch, I'll do it when I commit.

Fixed #11513 -- Ensure that the redirect at the end of an object change won't redirect to a page for which the user doesn't have permission. Thanks to rlaager for the report and draft patch, and to Julien Phalip for the final patch.

[1.2.X] Fixed #11513 -- Ensure that the redirect at the end of an object change won't redirect to a page for which the user doesn't have permission. Thanks to rlaager for the report and draft patch, and to Julien Phalip for the final patch.